net/rxrpc/rxkad.c

0001 // SPDX-License-Identifier: GPL-2.0-or-later
0002 /* Kerberos-based RxRPC security
0003  *
0004  * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
0005  * Written by David Howells (dhowells@redhat.com)
0006  */
0007
0008 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
0009
0010 #include <crypto/skcipher.h>
0011 #include <linux/module.h>
0012 #include <linux/net.h>
0013 #include <linux/skbuff.h>
0014 #include <linux/udp.h>
0015 #include <linux/scatterlist.h>
0016 #include <linux/ctype.h>
0017 #include <linux/slab.h>
0018 #include <linux/key-type.h>
0019 #include <net/sock.h>
0020 #include <net/af_rxrpc.h>
0021 #include <keys/rxrpc-type.h>
0022 #include "ar-internal.h"
0023
0024 #define RXKAD_VERSION           2
0025 #define MAXKRB5TICKETLEN        1024
0026 #define RXKAD_TKT_TYPE_KERBEROS_V5  256
0027 #define ANAME_SZ            40  /* size of authentication name */
0028 #define INST_SZ             40  /* size of principal's instance */
0029 #define REALM_SZ            40  /* size of principal's auth domain */
0030 #define SNAME_SZ            40  /* size of service name */
0031 #define RXKAD_ALIGN         8
0032
0033 struct rxkad_level1_hdr {
0034     __be32  data_size;  /* true data size (excluding padding) */
0035 };
0036
0037 struct rxkad_level2_hdr {
0038     __be32  data_size;  /* true data size (excluding padding) */
0039     __be32  checksum;   /* decrypted data checksum */
0040 };
0041
0042 static int rxkad_prime_packet_security(struct rxrpc_connection *conn,
0043                        struct crypto_sync_skcipher *ci);
0044
0045 /*
0046  * this holds a pinned cipher so that keventd doesn't get called by the cipher
0047  * alloc routine, but since we have it to hand, we use it to decrypt RESPONSE
0048  * packets
0049  */
0050 static struct crypto_sync_skcipher *rxkad_ci;
0051 static struct skcipher_request *rxkad_ci_req;
0052 static DEFINE_MUTEX(rxkad_ci_mutex);
0053
0054 /*
0055  * Parse the information from a server key
0056  *
0057  * The data should be the 8-byte secret key.
0058  */
0059 static int rxkad_preparse_server_key(struct key_preparsed_payload *prep)
0060 {
0061     struct crypto_skcipher *ci;
0062
0063     if (prep->datalen != 8)
0064         return -EINVAL;
0065
0066     memcpy(&prep->payload.data[2], prep->data, 8);
0067
0068     ci = crypto_alloc_skcipher("pcbc(des)", 0, CRYPTO_ALG_ASYNC);
0069     if (IS_ERR(ci)) {
0070         _leave(" = %ld", PTR_ERR(ci));
0071         return PTR_ERR(ci);
0072     }
0073
0074     if (crypto_skcipher_setkey(ci, prep->data, 8) < 0)
0075         BUG();
0076
0077     prep->payload.data[0] = ci;
0078     _leave(" = 0");
0079     return 0;
0080 }
0081
0082 static void rxkad_free_preparse_server_key(struct key_preparsed_payload *prep)
0083 {
0084
0085     if (prep->payload.data[0])
0086         crypto_free_skcipher(prep->payload.data[0]);
0087 }
0088
0089 static void rxkad_destroy_server_key(struct key *key)
0090 {
0091     if (key->payload.data[0]) {
0092         crypto_free_skcipher(key->payload.data[0]);
0093         key->payload.data[0] = NULL;
0094     }
0095 }
0096
0097 /*
0098  * initialise connection security
0099  */
0100 static int rxkad_init_connection_security(struct rxrpc_connection *conn,
0101                       struct rxrpc_key_token *token)
0102 {
0103     struct crypto_sync_skcipher *ci;
0104     int ret;
0105
0106     _enter("{%d},{%x}", conn->debug_id, key_serial(conn->params.key));
0107
0108     conn->security_ix = token->security_index;
0109
0110     ci = crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0);
0111     if (IS_ERR(ci)) {
0112         _debug("no cipher");
0113         ret = PTR_ERR(ci);
0114         goto error;
0115     }
0116
0117     if (crypto_sync_skcipher_setkey(ci, token->kad->session_key,
0118                    sizeof(token->kad->session_key)) < 0)
0119         BUG();
0120
0121     switch (conn->params.security_level) {
0122     case RXRPC_SECURITY_PLAIN:
0123     case RXRPC_SECURITY_AUTH:
0124     case RXRPC_SECURITY_ENCRYPT:
0125         break;
0126     default:
0127         ret = -EKEYREJECTED;
0128         goto error;
0129     }
0130
0131     ret = rxkad_prime_packet_security(conn, ci);
0132     if (ret < 0)
0133         goto error_ci;
0134
0135     conn->rxkad.cipher = ci;
0136     return 0;
0137
0138 error_ci:
0139     crypto_free_sync_skcipher(ci);
0140 error:
0141     _leave(" = %d", ret);
0142     return ret;
0143 }
0144
0145 /*
0146  * Work out how much data we can put in a packet.
0147  */
0148 static int rxkad_how_much_data(struct rxrpc_call *call, size_t remain,
0149                    size_t *_buf_size, size_t *_data_size, size_t *_offset)
0150 {
0151     size_t shdr, buf_size, chunk;
0152
0153     switch (call->conn->params.security_level) {
0154     default:
0155         buf_size = chunk = min_t(size_t, remain, RXRPC_JUMBO_DATALEN);
0156         shdr = 0;
0157         goto out;
0158     case RXRPC_SECURITY_AUTH:
0159         shdr = sizeof(struct rxkad_level1_hdr);
0160         break;
0161     case RXRPC_SECURITY_ENCRYPT:
0162         shdr = sizeof(struct rxkad_level2_hdr);
0163         break;
0164     }
0165
0166     buf_size = round_down(RXRPC_JUMBO_DATALEN, RXKAD_ALIGN);
0167
0168     chunk = buf_size - shdr;
0169     if (remain < chunk)
0170         buf_size = round_up(shdr + remain, RXKAD_ALIGN);
0171
0172 out:
0173     *_buf_size = buf_size;
0174     *_data_size = chunk;
0175     *_offset = shdr;
0176     return 0;
0177 }
0178
0179 /*
0180  * prime the encryption state with the invariant parts of a connection's
0181  * description
0182  */
0183 static int rxkad_prime_packet_security(struct rxrpc_connection *conn,
0184                        struct crypto_sync_skcipher *ci)
0185 {
0186     struct skcipher_request *req;
0187     struct rxrpc_key_token *token;
0188     struct scatterlist sg;
0189     struct rxrpc_crypt iv;
0190     __be32 *tmpbuf;
0191     size_t tmpsize = 4 * sizeof(__be32);
0192
0193     _enter("");
0194
0195     if (!conn->params.key)
0196         return 0;
0197
0198     tmpbuf = kmalloc(tmpsize, GFP_KERNEL);
0199     if (!tmpbuf)
0200         return -ENOMEM;
0201
0202     req = skcipher_request_alloc(&ci->base, GFP_NOFS);
0203     if (!req) {
0204         kfree(tmpbuf);
0205         return -ENOMEM;
0206     }
0207
0208     token = conn->params.key->payload.data[0];
0209     memcpy(&iv, token->kad->session_key, sizeof(iv));
0210
0211     tmpbuf[0] = htonl(conn->proto.epoch);
0212     tmpbuf[1] = htonl(conn->proto.cid);
0213     tmpbuf[2] = 0;
0214     tmpbuf[3] = htonl(conn->security_ix);
0215
0216     sg_init_one(&sg, tmpbuf, tmpsize);
0217     skcipher_request_set_sync_tfm(req, ci);
0218     skcipher_request_set_callback(req, 0, NULL, NULL);
0219     skcipher_request_set_crypt(req, &sg, &sg, tmpsize, iv.x);
0220     crypto_skcipher_encrypt(req);
0221     skcipher_request_free(req);
0222
0223     memcpy(&conn->rxkad.csum_iv, tmpbuf + 2, sizeof(conn->rxkad.csum_iv));
0224     kfree(tmpbuf);
0225     _leave(" = 0");
0226     return 0;
0227 }
0228
0229 /*
0230  * Allocate and prepare the crypto request on a call.  For any particular call,
0231  * this is called serially for the packets, so no lock should be necessary.
0232  */
0233 static struct skcipher_request *rxkad_get_call_crypto(struct rxrpc_call *call)
0234 {
0235     struct crypto_skcipher *tfm = &call->conn->rxkad.cipher->base;
0236     struct skcipher_request *cipher_req = call->cipher_req;
0237
0238     if (!cipher_req) {
0239         cipher_req = skcipher_request_alloc(tfm, GFP_NOFS);
0240         if (!cipher_req)
0241             return NULL;
0242         call->cipher_req = cipher_req;
0243     }
0244
0245     return cipher_req;
0246 }
0247
0248 /*
0249  * Clean up the crypto on a call.
0250  */
0251 static void rxkad_free_call_crypto(struct rxrpc_call *call)
0252 {
0253     if (call->cipher_req)
0254         skcipher_request_free(call->cipher_req);
0255     call->cipher_req = NULL;
0256 }
0257
0258 /*
0259  * partially encrypt a packet (level 1 security)
0260  */
0261 static int rxkad_secure_packet_auth(const struct rxrpc_call *call,
0262                     struct sk_buff *skb, u32 data_size,
0263                     struct skcipher_request *req)
0264 {
0265     struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
0266     struct rxkad_level1_hdr hdr;
0267     struct rxrpc_crypt iv;
0268     struct scatterlist sg;
0269     size_t pad;
0270     u16 check;
0271
0272     _enter("");
0273
0274     check = sp->hdr.seq ^ call->call_id;
0275     data_size |= (u32)check << 16;
0276
0277     hdr.data_size = htonl(data_size);
0278     memcpy(skb->head, &hdr, sizeof(hdr));
0279
0280     pad = sizeof(struct rxkad_level1_hdr) + data_size;
0281     pad = RXKAD_ALIGN - pad;
0282     pad &= RXKAD_ALIGN - 1;
0283     if (pad)
0284         skb_put_zero(skb, pad);
0285
0286     /* start the encryption afresh */
0287     memset(&iv, 0, sizeof(iv));
0288
0289     sg_init_one(&sg, skb->head, 8);
0290     skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
0291     skcipher_request_set_callback(req, 0, NULL, NULL);
0292     skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
0293     crypto_skcipher_encrypt(req);
0294     skcipher_request_zero(req);
0295
0296     _leave(" = 0");
0297     return 0;
0298 }
0299
0300 /*
0301  * wholly encrypt a packet (level 2 security)
0302  */
0303 static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call,
0304                        struct sk_buff *skb,
0305                        u32 data_size,
0306                        struct skcipher_request *req)
0307 {
0308     const struct rxrpc_key_token *token;
0309     struct rxkad_level2_hdr rxkhdr;
0310     struct rxrpc_skb_priv *sp;
0311     struct rxrpc_crypt iv;
0312     struct scatterlist sg[16];
0313     unsigned int len;
0314     size_t pad;
0315     u16 check;
0316     int err;
0317
0318     sp = rxrpc_skb(skb);
0319
0320     _enter("");
0321
0322     check = sp->hdr.seq ^ call->call_id;
0323
0324     rxkhdr.data_size = htonl(data_size | (u32)check << 16);
0325     rxkhdr.checksum = 0;
0326     memcpy(skb->head, &rxkhdr, sizeof(rxkhdr));
0327
0328     pad = sizeof(struct rxkad_level2_hdr) + data_size;
0329     pad = RXKAD_ALIGN - pad;
0330     pad &= RXKAD_ALIGN - 1;
0331     if (pad)
0332         skb_put_zero(skb, pad);
0333
0334     /* encrypt from the session key */
0335     token = call->conn->params.key->payload.data[0];
0336     memcpy(&iv, token->kad->session_key, sizeof(iv));
0337
0338     sg_init_one(&sg[0], skb->head, sizeof(rxkhdr));
0339     skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
0340     skcipher_request_set_callback(req, 0, NULL, NULL);
0341     skcipher_request_set_crypt(req, &sg[0], &sg[0], sizeof(rxkhdr), iv.x);
0342     crypto_skcipher_encrypt(req);
0343
0344     /* we want to encrypt the skbuff in-place */
0345     err = -EMSGSIZE;
0346     if (skb_shinfo(skb)->nr_frags > 16)
0347         goto out;
0348
0349     len = round_up(data_size, RXKAD_ALIGN);
0350
0351     sg_init_table(sg, ARRAY_SIZE(sg));
0352     err = skb_to_sgvec(skb, sg, 8, len);
0353     if (unlikely(err < 0))
0354         goto out;
0355     skcipher_request_set_crypt(req, sg, sg, len, iv.x);
0356     crypto_skcipher_encrypt(req);
0357
0358     _leave(" = 0");
0359     err = 0;
0360
0361 out:
0362     skcipher_request_zero(req);
0363     return err;
0364 }
0365
0366 /*
0367  * checksum an RxRPC packet header
0368  */
0369 static int rxkad_secure_packet(struct rxrpc_call *call,
0370                    struct sk_buff *skb,
0371                    size_t data_size)
0372 {
0373     struct rxrpc_skb_priv *sp;
0374     struct skcipher_request *req;
0375     struct rxrpc_crypt iv;
0376     struct scatterlist sg;
0377     u32 x, y;
0378     int ret;
0379
0380     sp = rxrpc_skb(skb);
0381
0382     _enter("{%d{%x}},{#%u},%zu,",
0383            call->debug_id, key_serial(call->conn->params.key),
0384            sp->hdr.seq, data_size);
0385
0386     if (!call->conn->rxkad.cipher)
0387         return 0;
0388
0389     ret = key_validate(call->conn->params.key);
0390     if (ret < 0)
0391         return ret;
0392
0393     req = rxkad_get_call_crypto(call);
0394     if (!req)
0395         return -ENOMEM;
0396
0397     /* continue encrypting from where we left off */
0398     memcpy(&iv, call->conn->rxkad.csum_iv.x, sizeof(iv));
0399
0400     /* calculate the security checksum */
0401     x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
0402     x |= sp->hdr.seq & 0x3fffffff;
0403     call->crypto_buf[0] = htonl(call->call_id);
0404     call->crypto_buf[1] = htonl(x);
0405
0406     sg_init_one(&sg, call->crypto_buf, 8);
0407     skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
0408     skcipher_request_set_callback(req, 0, NULL, NULL);
0409     skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
0410     crypto_skcipher_encrypt(req);
0411     skcipher_request_zero(req);
0412
0413     y = ntohl(call->crypto_buf[1]);
0414     y = (y >> 16) & 0xffff;
0415     if (y == 0)
0416         y = 1; /* zero checksums are not permitted */
0417     sp->hdr.cksum = y;
0418
0419     switch (call->conn->params.security_level) {
0420     case RXRPC_SECURITY_PLAIN:
0421         ret = 0;
0422         break;
0423     case RXRPC_SECURITY_AUTH:
0424         ret = rxkad_secure_packet_auth(call, skb, data_size, req);
0425         break;
0426     case RXRPC_SECURITY_ENCRYPT:
0427         ret = rxkad_secure_packet_encrypt(call, skb, data_size, req);
0428         break;
0429     default:
0430         ret = -EPERM;
0431         break;
0432     }
0433
0434     _leave(" = %d [set %x]", ret, y);
0435     return ret;
0436 }
0437
0438 /*
0439  * decrypt partial encryption on a packet (level 1 security)
0440  */
0441 static int rxkad_verify_packet_1(struct rxrpc_call *call, struct sk_buff *skb,
0442                  unsigned int offset, unsigned int len,
0443                  rxrpc_seq_t seq,
0444                  struct skcipher_request *req)
0445 {
0446     struct rxkad_level1_hdr sechdr;
0447     struct rxrpc_crypt iv;
0448     struct scatterlist sg[16];
0449     bool aborted;
0450     u32 data_size, buf;
0451     u16 check;
0452     int ret;
0453
0454     _enter("");
0455
0456     if (len < 8) {
0457         aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_hdr", "V1H",
0458                        RXKADSEALEDINCON);
0459         goto protocol_error;
0460     }
0461
0462     /* Decrypt the skbuff in-place.  TODO: We really want to decrypt
0463      * directly into the target buffer.
0464      */
0465     sg_init_table(sg, ARRAY_SIZE(sg));
0466     ret = skb_to_sgvec(skb, sg, offset, 8);
0467     if (unlikely(ret < 0))
0468         return ret;
0469
0470     /* start the decryption afresh */
0471     memset(&iv, 0, sizeof(iv));
0472
0473     skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
0474     skcipher_request_set_callback(req, 0, NULL, NULL);
0475     skcipher_request_set_crypt(req, sg, sg, 8, iv.x);
0476     crypto_skcipher_decrypt(req);
0477     skcipher_request_zero(req);
0478
0479     /* Extract the decrypted packet length */
0480     if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) {
0481         aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_len", "XV1",
0482                          RXKADDATALEN);
0483         goto protocol_error;
0484     }
0485     len -= sizeof(sechdr);
0486
0487     buf = ntohl(sechdr.data_size);
0488     data_size = buf & 0xffff;
0489
0490     check = buf >> 16;
0491     check ^= seq ^ call->call_id;
0492     check &= 0xffff;
0493     if (check != 0) {
0494         aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_check", "V1C",
0495                          RXKADSEALEDINCON);
0496         goto protocol_error;
0497     }
0498
0499     if (data_size > len) {
0500         aborted = rxrpc_abort_eproto(call, skb, "rxkad_1_datalen", "V1L",
0501                          RXKADDATALEN);
0502         goto protocol_error;
0503     }
0504
0505     _leave(" = 0 [dlen=%x]", data_size);
0506     return 0;
0507
0508 protocol_error:
0509     if (aborted)
0510         rxrpc_send_abort_packet(call);
0511     return -EPROTO;
0512 }
0513
0514 /*
0515  * wholly decrypt a packet (level 2 security)
0516  */
0517 static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb,
0518                  unsigned int offset, unsigned int len,
0519                  rxrpc_seq_t seq,
0520                  struct skcipher_request *req)
0521 {
0522     const struct rxrpc_key_token *token;
0523     struct rxkad_level2_hdr sechdr;
0524     struct rxrpc_crypt iv;
0525     struct scatterlist _sg[4], *sg;
0526     bool aborted;
0527     u32 data_size, buf;
0528     u16 check;
0529     int nsg, ret;
0530
0531     _enter(",{%d}", skb->len);
0532
0533     if (len < 8) {
0534         aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_hdr", "V2H",
0535                          RXKADSEALEDINCON);
0536         goto protocol_error;
0537     }
0538
0539     /* Decrypt the skbuff in-place.  TODO: We really want to decrypt
0540      * directly into the target buffer.
0541      */
0542     sg = _sg;
0543     nsg = skb_shinfo(skb)->nr_frags + 1;
0544     if (nsg <= 4) {
0545         nsg = 4;
0546     } else {
0547         sg = kmalloc_array(nsg, sizeof(*sg), GFP_NOIO);
0548         if (!sg)
0549             goto nomem;
0550     }
0551
0552     sg_init_table(sg, nsg);
0553     ret = skb_to_sgvec(skb, sg, offset, len);
0554     if (unlikely(ret < 0)) {
0555         if (sg != _sg)
0556             kfree(sg);
0557         return ret;
0558     }
0559
0560     /* decrypt from the session key */
0561     token = call->conn->params.key->payload.data[0];
0562     memcpy(&iv, token->kad->session_key, sizeof(iv));
0563
0564     skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
0565     skcipher_request_set_callback(req, 0, NULL, NULL);
0566     skcipher_request_set_crypt(req, sg, sg, len, iv.x);
0567     crypto_skcipher_decrypt(req);
0568     skcipher_request_zero(req);
0569     if (sg != _sg)
0570         kfree(sg);
0571
0572     /* Extract the decrypted packet length */
0573     if (skb_copy_bits(skb, offset, &sechdr, sizeof(sechdr)) < 0) {
0574         aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_len", "XV2",
0575                          RXKADDATALEN);
0576         goto protocol_error;
0577     }
0578     len -= sizeof(sechdr);
0579
0580     buf = ntohl(sechdr.data_size);
0581     data_size = buf & 0xffff;
0582
0583     check = buf >> 16;
0584     check ^= seq ^ call->call_id;
0585     check &= 0xffff;
0586     if (check != 0) {
0587         aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_check", "V2C",
0588                          RXKADSEALEDINCON);
0589         goto protocol_error;
0590     }
0591
0592     if (data_size > len) {
0593         aborted = rxrpc_abort_eproto(call, skb, "rxkad_2_datalen", "V2L",
0594                          RXKADDATALEN);
0595         goto protocol_error;
0596     }
0597
0598     _leave(" = 0 [dlen=%x]", data_size);
0599     return 0;
0600
0601 protocol_error:
0602     if (aborted)
0603         rxrpc_send_abort_packet(call);
0604     return -EPROTO;
0605
0606 nomem:
0607     _leave(" = -ENOMEM");
0608     return -ENOMEM;
0609 }
0610
0611 /*
0612  * Verify the security on a received packet or subpacket (if part of a
0613  * jumbo packet).
0614  */
0615 static int rxkad_verify_packet(struct rxrpc_call *call, struct sk_buff *skb,
0616                    unsigned int offset, unsigned int len,
0617                    rxrpc_seq_t seq, u16 expected_cksum)
0618 {
0619     struct skcipher_request *req;
0620     struct rxrpc_crypt iv;
0621     struct scatterlist sg;
0622     bool aborted;
0623     u16 cksum;
0624     u32 x, y;
0625
0626     _enter("{%d{%x}},{#%u}",
0627            call->debug_id, key_serial(call->conn->params.key), seq);
0628
0629     if (!call->conn->rxkad.cipher)
0630         return 0;
0631
0632     req = rxkad_get_call_crypto(call);
0633     if (!req)
0634         return -ENOMEM;
0635
0636     /* continue encrypting from where we left off */
0637     memcpy(&iv, call->conn->rxkad.csum_iv.x, sizeof(iv));
0638
0639     /* validate the security checksum */
0640     x = (call->cid & RXRPC_CHANNELMASK) << (32 - RXRPC_CIDSHIFT);
0641     x |= seq & 0x3fffffff;
0642     call->crypto_buf[0] = htonl(call->call_id);
0643     call->crypto_buf[1] = htonl(x);
0644
0645     sg_init_one(&sg, call->crypto_buf, 8);
0646     skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
0647     skcipher_request_set_callback(req, 0, NULL, NULL);
0648     skcipher_request_set_crypt(req, &sg, &sg, 8, iv.x);
0649     crypto_skcipher_encrypt(req);
0650     skcipher_request_zero(req);
0651
0652     y = ntohl(call->crypto_buf[1]);
0653     cksum = (y >> 16) & 0xffff;
0654     if (cksum == 0)
0655         cksum = 1; /* zero checksums are not permitted */
0656
0657     if (cksum != expected_cksum) {
0658         aborted = rxrpc_abort_eproto(call, skb, "rxkad_csum", "VCK",
0659                          RXKADSEALEDINCON);
0660         goto protocol_error;
0661     }
0662
0663     switch (call->conn->params.security_level) {
0664     case RXRPC_SECURITY_PLAIN:
0665         return 0;
0666     case RXRPC_SECURITY_AUTH:
0667         return rxkad_verify_packet_1(call, skb, offset, len, seq, req);
0668     case RXRPC_SECURITY_ENCRYPT:
0669         return rxkad_verify_packet_2(call, skb, offset, len, seq, req);
0670     default:
0671         return -ENOANO;
0672     }
0673
0674 protocol_error:
0675     if (aborted)
0676         rxrpc_send_abort_packet(call);
0677     return -EPROTO;
0678 }
0679
0680 /*
0681  * Locate the data contained in a packet that was partially encrypted.
0682  */
0683 static void rxkad_locate_data_1(struct rxrpc_call *call, struct sk_buff *skb,
0684                 unsigned int *_offset, unsigned int *_len)
0685 {
0686     struct rxkad_level1_hdr sechdr;
0687
0688     if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0)
0689         BUG();
0690     *_offset += sizeof(sechdr);
0691     *_len = ntohl(sechdr.data_size) & 0xffff;
0692 }
0693
0694 /*
0695  * Locate the data contained in a packet that was completely encrypted.
0696  */
0697 static void rxkad_locate_data_2(struct rxrpc_call *call, struct sk_buff *skb,
0698                 unsigned int *_offset, unsigned int *_len)
0699 {
0700     struct rxkad_level2_hdr sechdr;
0701
0702     if (skb_copy_bits(skb, *_offset, &sechdr, sizeof(sechdr)) < 0)
0703         BUG();
0704     *_offset += sizeof(sechdr);
0705     *_len = ntohl(sechdr.data_size) & 0xffff;
0706 }
0707
0708 /*
0709  * Locate the data contained in an already decrypted packet.
0710  */
0711 static void rxkad_locate_data(struct rxrpc_call *call, struct sk_buff *skb,
0712                   unsigned int *_offset, unsigned int *_len)
0713 {
0714     switch (call->conn->params.security_level) {
0715     case RXRPC_SECURITY_AUTH:
0716         rxkad_locate_data_1(call, skb, _offset, _len);
0717         return;
0718     case RXRPC_SECURITY_ENCRYPT:
0719         rxkad_locate_data_2(call, skb, _offset, _len);
0720         return;
0721     default:
0722         return;
0723     }
0724 }
0725
0726 /*
0727  * issue a challenge
0728  */
0729 static int rxkad_issue_challenge(struct rxrpc_connection *conn)
0730 {
0731     struct rxkad_challenge challenge;
0732     struct rxrpc_wire_header whdr;
0733     struct msghdr msg;
0734     struct kvec iov[2];
0735     size_t len;
0736     u32 serial;
0737     int ret;
0738
0739     _enter("{%d}", conn->debug_id);
0740
0741     get_random_bytes(&conn->rxkad.nonce, sizeof(conn->rxkad.nonce));
0742
0743     challenge.version   = htonl(2);
0744     challenge.nonce     = htonl(conn->rxkad.nonce);
0745     challenge.min_level = htonl(0);
0746     challenge.__padding = 0;
0747
0748     msg.msg_name    = &conn->params.peer->srx.transport;
0749     msg.msg_namelen = conn->params.peer->srx.transport_len;
0750     msg.msg_control = NULL;
0751     msg.msg_controllen = 0;
0752     msg.msg_flags   = 0;
0753
0754     whdr.epoch  = htonl(conn->proto.epoch);
0755     whdr.cid    = htonl(conn->proto.cid);
0756     whdr.callNumber = 0;
0757     whdr.seq    = 0;
0758     whdr.type   = RXRPC_PACKET_TYPE_CHALLENGE;
0759     whdr.flags  = conn->out_clientflag;
0760     whdr.userStatus = 0;
0761     whdr.securityIndex = conn->security_ix;
0762     whdr._rsvd  = 0;
0763     whdr.serviceId  = htons(conn->service_id);
0764
0765     iov[0].iov_base = &whdr;
0766     iov[0].iov_len  = sizeof(whdr);
0767     iov[1].iov_base = &challenge;
0768     iov[1].iov_len  = sizeof(challenge);
0769
0770     len = iov[0].iov_len + iov[1].iov_len;
0771
0772     serial = atomic_inc_return(&conn->serial);
0773     whdr.serial = htonl(serial);
0774     _proto("Tx CHALLENGE %%%u", serial);
0775
0776     ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 2, len);
0777     if (ret < 0) {
0778         trace_rxrpc_tx_fail(conn->debug_id, serial, ret,
0779                     rxrpc_tx_point_rxkad_challenge);
0780         return -EAGAIN;
0781     }
0782
0783     conn->params.peer->last_tx_at = ktime_get_seconds();
0784     trace_rxrpc_tx_packet(conn->debug_id, &whdr,
0785                   rxrpc_tx_point_rxkad_challenge);
0786     _leave(" = 0");
0787     return 0;
0788 }
0789
0790 /*
0791  * send a Kerberos security response
0792  */
0793 static int rxkad_send_response(struct rxrpc_connection *conn,
0794                    struct rxrpc_host_header *hdr,
0795                    struct rxkad_response *resp,
0796                    const struct rxkad_key *s2)
0797 {
0798     struct rxrpc_wire_header whdr;
0799     struct msghdr msg;
0800     struct kvec iov[3];
0801     size_t len;
0802     u32 serial;
0803     int ret;
0804
0805     _enter("");
0806
0807     msg.msg_name    = &conn->params.peer->srx.transport;
0808     msg.msg_namelen = conn->params.peer->srx.transport_len;
0809     msg.msg_control = NULL;
0810     msg.msg_controllen = 0;
0811     msg.msg_flags   = 0;
0812
0813     memset(&whdr, 0, sizeof(whdr));
0814     whdr.epoch  = htonl(hdr->epoch);
0815     whdr.cid    = htonl(hdr->cid);
0816     whdr.type   = RXRPC_PACKET_TYPE_RESPONSE;
0817     whdr.flags  = conn->out_clientflag;
0818     whdr.securityIndex = hdr->securityIndex;
0819     whdr.serviceId  = htons(hdr->serviceId);
0820
0821     iov[0].iov_base = &whdr;
0822     iov[0].iov_len  = sizeof(whdr);
0823     iov[1].iov_base = resp;
0824     iov[1].iov_len  = sizeof(*resp);
0825     iov[2].iov_base = (void *)s2->ticket;
0826     iov[2].iov_len  = s2->ticket_len;
0827
0828     len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len;
0829
0830     serial = atomic_inc_return(&conn->serial);
0831     whdr.serial = htonl(serial);
0832     _proto("Tx RESPONSE %%%u", serial);
0833
0834     ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 3, len);
0835     if (ret < 0) {
0836         trace_rxrpc_tx_fail(conn->debug_id, serial, ret,
0837                     rxrpc_tx_point_rxkad_response);
0838         return -EAGAIN;
0839     }
0840
0841     conn->params.peer->last_tx_at = ktime_get_seconds();
0842     _leave(" = 0");
0843     return 0;
0844 }
0845
0846 /*
0847  * calculate the response checksum
0848  */
0849 static void rxkad_calc_response_checksum(struct rxkad_response *response)
0850 {
0851     u32 csum = 1000003;
0852     int loop;
0853     u8 *p = (u8 *) response;
0854
0855     for (loop = sizeof(*response); loop > 0; loop--)
0856         csum = csum * 0x10204081 + *p++;
0857
0858     response->encrypted.checksum = htonl(csum);
0859 }
0860
0861 /*
0862  * encrypt the response packet
0863  */
0864 static int rxkad_encrypt_response(struct rxrpc_connection *conn,
0865                   struct rxkad_response *resp,
0866                   const struct rxkad_key *s2)
0867 {
0868     struct skcipher_request *req;
0869     struct rxrpc_crypt iv;
0870     struct scatterlist sg[1];
0871
0872     req = skcipher_request_alloc(&conn->rxkad.cipher->base, GFP_NOFS);
0873     if (!req)
0874         return -ENOMEM;
0875
0876     /* continue encrypting from where we left off */
0877     memcpy(&iv, s2->session_key, sizeof(iv));
0878
0879     sg_init_table(sg, 1);
0880     sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
0881     skcipher_request_set_sync_tfm(req, conn->rxkad.cipher);
0882     skcipher_request_set_callback(req, 0, NULL, NULL);
0883     skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
0884     crypto_skcipher_encrypt(req);
0885     skcipher_request_free(req);
0886     return 0;
0887 }
0888
0889 /*
0890  * respond to a challenge packet
0891  */
0892 static int rxkad_respond_to_challenge(struct rxrpc_connection *conn,
0893                       struct sk_buff *skb,
0894                       u32 *_abort_code)
0895 {
0896     const struct rxrpc_key_token *token;
0897     struct rxkad_challenge challenge;
0898     struct rxkad_response *resp;
0899     struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
0900     const char *eproto;
0901     u32 version, nonce, min_level, abort_code;
0902     int ret;
0903
0904     _enter("{%d,%x}", conn->debug_id, key_serial(conn->params.key));
0905
0906     eproto = tracepoint_string("chall_no_key");
0907     abort_code = RX_PROTOCOL_ERROR;
0908     if (!conn->params.key)
0909         goto protocol_error;
0910
0911     abort_code = RXKADEXPIRED;
0912     ret = key_validate(conn->params.key);
0913     if (ret < 0)
0914         goto other_error;
0915
0916     eproto = tracepoint_string("chall_short");
0917     abort_code = RXKADPACKETSHORT;
0918     if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
0919               &challenge, sizeof(challenge)) < 0)
0920         goto protocol_error;
0921
0922     version = ntohl(challenge.version);
0923     nonce = ntohl(challenge.nonce);
0924     min_level = ntohl(challenge.min_level);
0925
0926     _proto("Rx CHALLENGE %%%u { v=%u n=%u ml=%u }",
0927            sp->hdr.serial, version, nonce, min_level);
0928
0929     eproto = tracepoint_string("chall_ver");
0930     abort_code = RXKADINCONSISTENCY;
0931     if (version != RXKAD_VERSION)
0932         goto protocol_error;
0933
0934     abort_code = RXKADLEVELFAIL;
0935     ret = -EACCES;
0936     if (conn->params.security_level < min_level)
0937         goto other_error;
0938
0939     token = conn->params.key->payload.data[0];
0940
0941     /* build the response packet */
0942     resp = kzalloc(sizeof(struct rxkad_response), GFP_NOFS);
0943     if (!resp)
0944         return -ENOMEM;
0945
0946     resp->version           = htonl(RXKAD_VERSION);
0947     resp->encrypted.epoch       = htonl(conn->proto.epoch);
0948     resp->encrypted.cid     = htonl(conn->proto.cid);
0949     resp->encrypted.securityIndex   = htonl(conn->security_ix);
0950     resp->encrypted.inc_nonce   = htonl(nonce + 1);
0951     resp->encrypted.level       = htonl(conn->params.security_level);
0952     resp->kvno          = htonl(token->kad->kvno);
0953     resp->ticket_len        = htonl(token->kad->ticket_len);
0954     resp->encrypted.call_id[0]  = htonl(conn->channels[0].call_counter);
0955     resp->encrypted.call_id[1]  = htonl(conn->channels[1].call_counter);
0956     resp->encrypted.call_id[2]  = htonl(conn->channels[2].call_counter);
0957     resp->encrypted.call_id[3]  = htonl(conn->channels[3].call_counter);
0958
0959     /* calculate the response checksum and then do the encryption */
0960     rxkad_calc_response_checksum(resp);
0961     ret = rxkad_encrypt_response(conn, resp, token->kad);
0962     if (ret == 0)
0963         ret = rxkad_send_response(conn, &sp->hdr, resp, token->kad);
0964     kfree(resp);
0965     return ret;
0966
0967 protocol_error:
0968     trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto);
0969     ret = -EPROTO;
0970 other_error:
0971     *_abort_code = abort_code;
0972     return ret;
0973 }
0974
0975 /*
0976  * decrypt the kerberos IV ticket in the response
0977  */
0978 static int rxkad_decrypt_ticket(struct rxrpc_connection *conn,
0979                 struct key *server_key,
0980                 struct sk_buff *skb,
0981                 void *ticket, size_t ticket_len,
0982                 struct rxrpc_crypt *_session_key,
0983                 time64_t *_expiry,
0984                 u32 *_abort_code)
0985 {
0986     struct skcipher_request *req;
0987     struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
0988     struct rxrpc_crypt iv, key;
0989     struct scatterlist sg[1];
0990     struct in_addr addr;
0991     unsigned int life;
0992     const char *eproto;
0993     time64_t issue, now;
0994     bool little_endian;
0995     int ret;
0996     u32 abort_code;
0997     u8 *p, *q, *name, *end;
0998
0999     _enter("{%d},{%x}", conn->debug_id, key_serial(server_key));
1000
1001     *_expiry = 0;
1002
1003     ASSERT(server_key->payload.data[0] != NULL);
1004     ASSERTCMP((unsigned long) ticket & 7UL, ==, 0);
1005
1006     memcpy(&iv, &server_key->payload.data[2], sizeof(iv));
1007
1008     ret = -ENOMEM;
1009     req = skcipher_request_alloc(server_key->payload.data[0], GFP_NOFS);
1010     if (!req)
1011         goto temporary_error;
1012
1013     sg_init_one(&sg[0], ticket, ticket_len);
1014     skcipher_request_set_callback(req, 0, NULL, NULL);
1015     skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x);
1016     crypto_skcipher_decrypt(req);
1017     skcipher_request_free(req);
1018
1019     p = ticket;
1020     end = p + ticket_len;
1021
1022 #define Z(field)                    \
1023     ({                      \
1024         u8 *__str = p;              \
1025         eproto = tracepoint_string("rxkad_bad_"#field); \
1026         q = memchr(p, 0, end - p);      \
1027         if (!q || q - p > (field##_SZ))     \
1028             goto bad_ticket;        \
1029         for (; p < q; p++)          \
1030             if (!isprint(*p))       \
1031                 goto bad_ticket;    \
1032         p++;                    \
1033         __str;                  \
1034     })
1035
1036     /* extract the ticket flags */
1037     _debug("KIV FLAGS: %x", *p);
1038     little_endian = *p & 1;
1039     p++;
1040
1041     /* extract the authentication name */
1042     name = Z(ANAME);
1043     _debug("KIV ANAME: %s", name);
1044
1045     /* extract the principal's instance */
1046     name = Z(INST);
1047     _debug("KIV INST : %s", name);
1048
1049     /* extract the principal's authentication domain */
1050     name = Z(REALM);
1051     _debug("KIV REALM: %s", name);
1052
1053     eproto = tracepoint_string("rxkad_bad_len");
1054     if (end - p < 4 + 8 + 4 + 2)
1055         goto bad_ticket;
1056
1057     /* get the IPv4 address of the entity that requested the ticket */
1058     memcpy(&addr, p, sizeof(addr));
1059     p += 4;
1060     _debug("KIV ADDR : %pI4", &addr);
1061
1062     /* get the session key from the ticket */
1063     memcpy(&key, p, sizeof(key));
1064     p += 8;
1065     _debug("KIV KEY  : %08x %08x", ntohl(key.n[0]), ntohl(key.n[1]));
1066     memcpy(_session_key, &key, sizeof(key));
1067
1068     /* get the ticket's lifetime */
1069     life = *p++ * 5 * 60;
1070     _debug("KIV LIFE : %u", life);
1071
1072     /* get the issue time of the ticket */
1073     if (little_endian) {
1074         __le32 stamp;
1075         memcpy(&stamp, p, 4);
1076         issue = rxrpc_u32_to_time64(le32_to_cpu(stamp));
1077     } else {
1078         __be32 stamp;
1079         memcpy(&stamp, p, 4);
1080         issue = rxrpc_u32_to_time64(be32_to_cpu(stamp));
1081     }
1082     p += 4;
1083     now = ktime_get_real_seconds();
1084     _debug("KIV ISSUE: %llx [%llx]", issue, now);
1085
1086     /* check the ticket is in date */
1087     if (issue > now) {
1088         abort_code = RXKADNOAUTH;
1089         ret = -EKEYREJECTED;
1090         goto other_error;
1091     }
1092
1093     if (issue < now - life) {
1094         abort_code = RXKADEXPIRED;
1095         ret = -EKEYEXPIRED;
1096         goto other_error;
1097     }
1098
1099     *_expiry = issue + life;
1100
1101     /* get the service name */
1102     name = Z(SNAME);
1103     _debug("KIV SNAME: %s", name);
1104
1105     /* get the service instance name */
1106     name = Z(INST);
1107     _debug("KIV SINST: %s", name);
1108     return 0;
1109
1110 bad_ticket:
1111     trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto);
1112     abort_code = RXKADBADTICKET;
1113     ret = -EPROTO;
1114 other_error:
1115     *_abort_code = abort_code;
1116     return ret;
1117 temporary_error:
1118     return ret;
1119 }
1120
1121 /*
1122  * decrypt the response packet
1123  */
1124 static void rxkad_decrypt_response(struct rxrpc_connection *conn,
1125                    struct rxkad_response *resp,
1126                    const struct rxrpc_crypt *session_key)
1127 {
1128     struct skcipher_request *req = rxkad_ci_req;
1129     struct scatterlist sg[1];
1130     struct rxrpc_crypt iv;
1131
1132     _enter(",,%08x%08x",
1133            ntohl(session_key->n[0]), ntohl(session_key->n[1]));
1134
1135     mutex_lock(&rxkad_ci_mutex);
1136     if (crypto_sync_skcipher_setkey(rxkad_ci, session_key->x,
1137                     sizeof(*session_key)) < 0)
1138         BUG();
1139
1140     memcpy(&iv, session_key, sizeof(iv));
1141
1142     sg_init_table(sg, 1);
1143     sg_set_buf(sg, &resp->encrypted, sizeof(resp->encrypted));
1144     skcipher_request_set_sync_tfm(req, rxkad_ci);
1145     skcipher_request_set_callback(req, 0, NULL, NULL);
1146     skcipher_request_set_crypt(req, sg, sg, sizeof(resp->encrypted), iv.x);
1147     crypto_skcipher_decrypt(req);
1148     skcipher_request_zero(req);
1149
1150     mutex_unlock(&rxkad_ci_mutex);
1151
1152     _leave("");
1153 }
1154
1155 /*
1156  * verify a response
1157  */
1158 static int rxkad_verify_response(struct rxrpc_connection *conn,
1159                  struct sk_buff *skb,
1160                  u32 *_abort_code)
1161 {
1162     struct rxkad_response *response;
1163     struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
1164     struct rxrpc_crypt session_key;
1165     struct key *server_key;
1166     const char *eproto;
1167     time64_t expiry;
1168     void *ticket;
1169     u32 abort_code, version, kvno, ticket_len, level;
1170     __be32 csum;
1171     int ret, i;
1172
1173     _enter("{%d}", conn->debug_id);
1174
1175     server_key = rxrpc_look_up_server_security(conn, skb, 0, 0);
1176     if (IS_ERR(server_key)) {
1177         switch (PTR_ERR(server_key)) {
1178         case -ENOKEY:
1179             abort_code = RXKADUNKNOWNKEY;
1180             break;
1181         case -EKEYEXPIRED:
1182             abort_code = RXKADEXPIRED;
1183             break;
1184         default:
1185             abort_code = RXKADNOAUTH;
1186             break;
1187         }
1188         trace_rxrpc_abort(0, "SVK",
1189                   sp->hdr.cid, sp->hdr.callNumber, sp->hdr.seq,
1190                   abort_code, PTR_ERR(server_key));
1191         *_abort_code = abort_code;
1192         return -EPROTO;
1193     }
1194
1195     ret = -ENOMEM;
1196     response = kzalloc(sizeof(struct rxkad_response), GFP_NOFS);
1197     if (!response)
1198         goto temporary_error;
1199
1200     eproto = tracepoint_string("rxkad_rsp_short");
1201     abort_code = RXKADPACKETSHORT;
1202     if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
1203               response, sizeof(*response)) < 0)
1204         goto protocol_error;
1205
1206     version = ntohl(response->version);
1207     ticket_len = ntohl(response->ticket_len);
1208     kvno = ntohl(response->kvno);
1209     _proto("Rx RESPONSE %%%u { v=%u kv=%u tl=%u }",
1210            sp->hdr.serial, version, kvno, ticket_len);
1211
1212     eproto = tracepoint_string("rxkad_rsp_ver");
1213     abort_code = RXKADINCONSISTENCY;
1214     if (version != RXKAD_VERSION)
1215         goto protocol_error;
1216
1217     eproto = tracepoint_string("rxkad_rsp_tktlen");
1218     abort_code = RXKADTICKETLEN;
1219     if (ticket_len < 4 || ticket_len > MAXKRB5TICKETLEN)
1220         goto protocol_error;
1221
1222     eproto = tracepoint_string("rxkad_rsp_unkkey");
1223     abort_code = RXKADUNKNOWNKEY;
1224     if (kvno >= RXKAD_TKT_TYPE_KERBEROS_V5)
1225         goto protocol_error;
1226
1227     /* extract the kerberos ticket and decrypt and decode it */
1228     ret = -ENOMEM;
1229     ticket = kmalloc(ticket_len, GFP_NOFS);
1230     if (!ticket)
1231         goto temporary_error_free_resp;
1232
1233     eproto = tracepoint_string("rxkad_tkt_short");
1234     abort_code = RXKADPACKETSHORT;
1235     if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header) + sizeof(*response),
1236               ticket, ticket_len) < 0)
1237         goto protocol_error_free;
1238
1239     ret = rxkad_decrypt_ticket(conn, server_key, skb, ticket, ticket_len,
1240                    &session_key, &expiry, _abort_code);
1241     if (ret < 0)
1242         goto temporary_error_free_ticket;
1243
1244     /* use the session key from inside the ticket to decrypt the
1245      * response */
1246     rxkad_decrypt_response(conn, response, &session_key);
1247
1248     eproto = tracepoint_string("rxkad_rsp_param");
1249     abort_code = RXKADSEALEDINCON;
1250     if (ntohl(response->encrypted.epoch) != conn->proto.epoch)
1251         goto protocol_error_free;
1252     if (ntohl(response->encrypted.cid) != conn->proto.cid)
1253         goto protocol_error_free;
1254     if (ntohl(response->encrypted.securityIndex) != conn->security_ix)
1255         goto protocol_error_free;
1256     csum = response->encrypted.checksum;
1257     response->encrypted.checksum = 0;
1258     rxkad_calc_response_checksum(response);
1259     eproto = tracepoint_string("rxkad_rsp_csum");
1260     if (response->encrypted.checksum != csum)
1261         goto protocol_error_free;
1262
1263     spin_lock(&conn->bundle->channel_lock);
1264     for (i = 0; i < RXRPC_MAXCALLS; i++) {
1265         struct rxrpc_call *call;
1266         u32 call_id = ntohl(response->encrypted.call_id[i]);
1267
1268         eproto = tracepoint_string("rxkad_rsp_callid");
1269         if (call_id > INT_MAX)
1270             goto protocol_error_unlock;
1271
1272         eproto = tracepoint_string("rxkad_rsp_callctr");
1273         if (call_id < conn->channels[i].call_counter)
1274             goto protocol_error_unlock;
1275
1276         eproto = tracepoint_string("rxkad_rsp_callst");
1277         if (call_id > conn->channels[i].call_counter) {
1278             call = rcu_dereference_protected(
1279                 conn->channels[i].call,
1280                 lockdep_is_held(&conn->bundle->channel_lock));
1281             if (call && call->state < RXRPC_CALL_COMPLETE)
1282                 goto protocol_error_unlock;
1283             conn->channels[i].call_counter = call_id;
1284         }
1285     }
1286     spin_unlock(&conn->bundle->channel_lock);
1287
1288     eproto = tracepoint_string("rxkad_rsp_seq");
1289     abort_code = RXKADOUTOFSEQUENCE;
1290     if (ntohl(response->encrypted.inc_nonce) != conn->rxkad.nonce + 1)
1291         goto protocol_error_free;
1292
1293     eproto = tracepoint_string("rxkad_rsp_level");
1294     abort_code = RXKADLEVELFAIL;
1295     level = ntohl(response->encrypted.level);
1296     if (level > RXRPC_SECURITY_ENCRYPT)
1297         goto protocol_error_free;
1298     conn->params.security_level = level;
1299
1300     /* create a key to hold the security data and expiration time - after
1301      * this the connection security can be handled in exactly the same way
1302      * as for a client connection */
1303     ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno);
1304     if (ret < 0)
1305         goto temporary_error_free_ticket;
1306
1307     kfree(ticket);
1308     kfree(response);
1309     _leave(" = 0");
1310     return 0;
1311
1312 protocol_error_unlock:
1313     spin_unlock(&conn->bundle->channel_lock);
1314 protocol_error_free:
1315     kfree(ticket);
1316 protocol_error:
1317     kfree(response);
1318     trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto);
1319     key_put(server_key);
1320     *_abort_code = abort_code;
1321     return -EPROTO;
1322
1323 temporary_error_free_ticket:
1324     kfree(ticket);
1325 temporary_error_free_resp:
1326     kfree(response);
1327 temporary_error:
1328     /* Ignore the response packet if we got a temporary error such as
1329      * ENOMEM.  We just want to send the challenge again.  Note that we
1330      * also come out this way if the ticket decryption fails.
1331      */
1332     key_put(server_key);
1333     return ret;
1334 }
1335
1336 /*
1337  * clear the connection security
1338  */
1339 static void rxkad_clear(struct rxrpc_connection *conn)
1340 {
1341     _enter("");
1342
1343     if (conn->rxkad.cipher)
1344         crypto_free_sync_skcipher(conn->rxkad.cipher);
1345 }
1346
1347 /*
1348  * Initialise the rxkad security service.
1349  */
1350 static int rxkad_init(void)
1351 {
1352     struct crypto_sync_skcipher *tfm;
1353     struct skcipher_request *req;
1354
1355     /* pin the cipher we need so that the crypto layer doesn't invoke
1356      * keventd to go get it */
1357     tfm = crypto_alloc_sync_skcipher("pcbc(fcrypt)", 0, 0);
1358     if (IS_ERR(tfm))
1359         return PTR_ERR(tfm);
1360
1361     req = skcipher_request_alloc(&tfm->base, GFP_KERNEL);
1362     if (!req)
1363         goto nomem_tfm;
1364
1365     rxkad_ci_req = req;
1366     rxkad_ci = tfm;
1367     return 0;
1368
1369 nomem_tfm:
1370     crypto_free_sync_skcipher(tfm);
1371     return -ENOMEM;
1372 }
1373
1374 /*
1375  * Clean up the rxkad security service.
1376  */
1377 static void rxkad_exit(void)
1378 {
1379     crypto_free_sync_skcipher(rxkad_ci);
1380     skcipher_request_free(rxkad_ci_req);
1381 }
1382
1383 /*
1384  * RxRPC Kerberos-based security
1385  */
1386 const struct rxrpc_security rxkad = {
1387     .name               = "rxkad",
1388     .security_index         = RXRPC_SECURITY_RXKAD,
1389     .no_key_abort           = RXKADUNKNOWNKEY,
1390     .init               = rxkad_init,
1391     .exit               = rxkad_exit,
1392     .preparse_server_key        = rxkad_preparse_server_key,
1393     .free_preparse_server_key   = rxkad_free_preparse_server_key,
1394     .destroy_server_key     = rxkad_destroy_server_key,
1395     .init_connection_security   = rxkad_init_connection_security,
1396     .how_much_data          = rxkad_how_much_data,
1397     .secure_packet          = rxkad_secure_packet,
1398     .verify_packet          = rxkad_verify_packet,
1399     .free_call_crypto       = rxkad_free_call_crypto,
1400     .locate_data            = rxkad_locate_data,
1401     .issue_challenge        = rxkad_issue_challenge,
1402     .respond_to_challenge       = rxkad_respond_to_challenge,
1403     .verify_response        = rxkad_verify_response,
1404     .clear              = rxkad_clear,
1405 };